Network Analysis
| IP Address | Status | Action |
|---|---|---|
| 202.79.172.110 | Active | Moloch |
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| No hosts contacted. | ||
- TCP Requests
GET
200
http://202.79.172.110:8000/1
REQUEST
RESPONSE
BODY
GET /1 HTTP/1.1
Host: 202.79.172.110:8000
Cache-Control: no-cache
HTTP/1.1 200 OK
content-length: 538224
etag: "0:83670:653e70d1:2afd440c"
accept-ranges: bytes
last-modified: Sun, 29 Oct 2023 14:48:49 GMT
content-type: application/octet-stream
content-disposition: attachment; filename="1"
date: Sat, 11 Nov 2023 07:49:16 GMT
GET
200
http://202.79.172.110:8000/2
REQUEST
RESPONSE
BODY
GET /2 HTTP/1.1
Host: 202.79.172.110:8000
Cache-Control: no-cache
HTTP/1.1 200 OK
content-length: 135352
etag: "0:210b8:651fe10e:344714c"
accept-ranges: bytes
last-modified: Fri, 06 Oct 2023 10:27:26 GMT
content-type: application/octet-stream
content-disposition: attachment; filename="2"
date: Sat, 11 Nov 2023 07:49:17 GMT
GET
200
http://202.79.172.110:8000/3
REQUEST
RESPONSE
BODY
GET /3 HTTP/1.1
Host: 202.79.172.110:8000
Cache-Control: no-cache
HTTP/1.1 200 OK
content-length: 78336
etag: "0:13200:65423c0c:0"
accept-ranges: bytes
last-modified: Wed, 01 Nov 2023 11:52:44 GMT
content-type: application/octet-stream
content-disposition: attachment; filename="3"
date: Sat, 11 Nov 2023 07:49:17 GMT
GET
200
http://202.79.172.110:8000/4
REQUEST
RESPONSE
BODY
GET /4 HTTP/1.1
Host: 202.79.172.110:8000
Cache-Control: no-cache
HTTP/1.1 200 OK
content-length: 367269
etag: "0:59aa5:653e5a7f:37d9d424"
accept-ranges: bytes
last-modified: Sun, 29 Oct 2023 13:13:35 GMT
content-type: application/octet-stream
content-disposition: attachment; filename="4"
date: Sat, 11 Nov 2023 07:49:17 GMT
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 202.79.172.110:8000 -> 192.168.56.103:49163 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
| TCP 202.79.172.110:8000 -> 192.168.56.103:49163 | 2023711 | ET MALWARE JS/WSF Downloader Dec 08 2016 M7 | A Network Trojan was detected |
| TCP 202.79.172.110:8000 -> 192.168.56.103:49163 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic |
| TCP 202.79.172.110:8000 -> 192.168.56.103:49163 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic |
| TCP 202.79.172.110:8000 -> 192.168.56.103:49163 | 2014520 | ET INFO EXE - Served Attached HTTP | Misc activity |
| TCP 202.79.172.110:8000 -> 192.168.56.103:49163 | 2015744 | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) | Misc activity |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts